Organizations with poor privacy practices 80% more likely to suffer data breach

There’s a predictive relationship between responsible privacy practices and security outcomes, according to Osano.

Companies with inadequate data privacy practices are 80 percent more likely to suffer a data breach than those with the highest-ranked privacy practices and will face fines seven times larger than companies with the best scores in the event of a data breach.

Privacy issues

  • Companies with the lowest privacy scores lost 600% more records than high-scoring companies.
  • The worst privacy actors are the least likely to be able to retrospectively identify the root cause of a breach.
  • Of the entities that get breached, governments have the worst scores.
  • Educational and government websites are 15x more likely to experience a breach than commercial sites.

“In the face of nonstop breaches and increased data security awareness, consumer and shareholder confidence in businesses is slowly eroding. Businesses that fail to protect sensitive data will face serious negative consequences, and the report proves just how these phenomena move hand-in-hand,” said Osano CEO Arlo Gilbert.

“There is a perception that privacy issues are akin to a speeding ticket – a risk worth running. Companies that don’t change their perception are facing higher odds of experiencing a data breach and losing the trust they’ve built with their customers.”

Third parties responsible for most data breaches

The average company shares its data with 730 different vendors, and according to the Internal Auditors Research Foundation, third parties were responsible for two out of every three data breaches.

Many companies are lagging behind current data privacy requirements. By prioritizing best-in-class privacy practices, companies can reduce the risk of security incidents and demonstrate trustworthiness to customers.

Human error: Understand the mistakes that weaken cybersecurity

43% of US and UK employees have made mistakes resulting in cybersecurity repercussions for themselves or their company, according to a Tessian report.

With human error being a leading cause of data breaches today, the report examines why people make mistakes and how they can be prevented before they turn into breaches.

Human error: The impact on cybersecurity

When asked about what types of mistakes they have made, one-quarter of employees confessed to clicking on links in a phishing email at work. Employees aged between 31-40 were four times more likely than employees aged over 51 to click on a phishing email, while men were twice as likely as women to do so.

47% of employees cited distraction as a top reason for falling for a phishing scam. This was closely followed by the fact that the email looked legitimate (43%), with 41% saying the phishing email looked like it came from a senior executive or a well-known brand.

In addition to clicking on a malicious link, 58% of employees admitted to sending a work email to the wrong person, with 17% of those emails going to the wrong external party.

This simple error leads to serious consequences for both the individual and the company, who must report the incident to regulators as well as their customers. In fact, one-fifth of respondents said their company had lost customers as a result of sending a misdirected email, while 12% of employees lost their job.

The main reason cited for misdirected emails was fatigue (43%), closely followed by distraction (41%). With 57% of respondents saying they are more distracted when working from home, the sudden shift to remote working could make businesses more vulnerable to security incidents caused by human error.

How stress impacts cybersecurity

The report’s findings call for businesses to understand the impact stress and working cultures have on human error and cybersecurity, especially in light of the events of 2020. Employees revealed they make more mistakes when they are stressed (52%), tired (43%), distracted (41%) and working quickly (36%).

It is worrying, then, that 61% of respondents said their company has a culture of presenteeism that makes them work longer hours than they need to, while 46% of employees have experienced burnout.

Businesses should also be mindful of how the global pandemic, and the move to working from home, have impacted employees’ wellbeing and how that relates to security.

Jeff Hancock, a professor at Stanford University and expert in social dynamics, contributed to the report and said, “Understanding how stress impacts behavior is critical to improving cybersecurity.

The events of 2020 have meant that people have had to deal with incredibly stressful situations and a lot of change. And when people are stressed, they tend to make mistakes or decisions they later regret.

Sadly, hackers prey on this vulnerability. Businesses, therefore, need to educate employees on the ways a hacker might take advantage of their stress during these times, as well as the security incidents that can be caused by human error.”

Why age matters

The report also shows that age, gender and industry play a role in people’s cybersecurity behaviors, revealing that a one-size-fits-all approach to cybersecurity training and awareness won’t work in preventing incidents of human error. Findings include:

  • Half of employees aged 18-30 say they have made mistakes that compromised their company’s cybersecurity, compared with 10% of workers over 51 who say the same.
  • 65% of 18-30 year-olds say they have sent an email to the wrong person, compared with 34% of those over 51.
  • 70% of employees who admitted to clicking a phishing email are aged between 18-40 years old. In comparison, just 8% of those over 51 said they had done the same.
  • Workers in the Technology industry were the most likely to click on links in phishing emails, with 47% of respondents in this sector admitting they had done so. This was closely followed by employees in Banking and Finance (45%).

Tim Sadler, CEO of Tessian said, “Cybersecurity training needs to reflect the fact that different generations have grown up with technology in different ways. It is also unrealistic to expect every employee to spot a scam or make the right cybersecurity decision 100% of the time.

“To prevent simple mistakes from turning into serious security incidents, businesses must prioritize cybersecurity at the human layer. This requires understanding individual employees’ behaviors and using that insight to tailor training and policies to make safe cybersecurity practices truly resonate.”

Most global brands fail to implement security controls to prevent data leakage and theft

The global pandemic has seen the web take center stage. Banking, retail and other industries have seen large spikes in web traffic, and this trend is expected to become permanent.

Global brands fail to implement security controls

As attackers ramp up efforts to exploit this crisis, a slew of high-profile attacks on global brands and record-breaking fines for GDPR breaches have had little impact on client-side security and data protection deployments.

There’s a troubling lack of security controls required to prevent data theft and loss through client-side attacks like Magecart, formjacking, cross-site scripting, and credit card skimming. These attacks exploit vulnerable JavaScript integrations running on 99% of the world’s top websites, Tala Security reveals.

The report indicates that security effectiveness against JavaScript vulnerabilities is declining, despite high-profile attacks and repeated industry warnings over the past 18 months, including the largest GDPR fine to date.

Without controls, every piece of code running on websites – from every vendor included in the site owner’s website supply chain – can modify, steal or leak information via client-side attacks enabled by JavaScript.

In many cases, this data leakage is taking place via whitelisted, legitimate applications, without the website owner’s knowledge. What this report indicates is that data risk is everywhere and effective controls are rarely applied.

Key findings highlight the scale of vulnerability and that the majority of global brands fail to deploy adequate security controls to guard against client-side attacks.

JavaScript risk has increased in 2020

The average website includes content from 32 third-party JavaScript vendors, up slightly from 2019. JavaScript powers richness, but also the framework of what renders on customer browsers, including images, style sheets, fonts, media and content from the first-party source (the site owner).

Content delivered by third-party JavaScript integrations

58% of the content that displays on customer browsers is delivered by third-party JavaScript integrations identified above.

This website supply chain leverages client-side connections that operate outside the span of effective control in 98% of sampled websites. The client-side is a primary attack vector for website attacks today.

Websites expose data to an average of 17 domains

Despite increasing numbers of high-profile breaches, forms, found on 92% of websites, expose data to an average of 17 domains. This data includes PII, credentials, card transactions, and medical records.

While most users would reasonably expect this data to be accessible to the website owner’s servers and perhaps a payment clearing house, the analysis shows that this data is exposed to nearly 10X more domains than intended.

Nearly one-third of websites studied expose data to more than 20 domains. This provides some insight into how and why attacks like Magecart, formjacking and card skimming continue largely unabated.

No attack is more widespread than XSS

While other client-side attacks such as Magecart capture most of the headlines, no attack is more widespread than Cross-Site Scripting (XSS). This study found that 97% of websites are using dangerous JavaScript functions that could serve as injection points to initiate a DOM XSS attack.

Standards-based security controls exist that can prevent these attacks. They are infrequently applied.

Unfortunately, despite high-profile risks and the availability of controls, there has been no significant increase in the adoption of security capable of preventing client-side attacks:

  • Over 99% of websites are at risk from trusted, whitelisted domains like Google Analytics. These can be leveraged to exfiltrate data, underscoring the need for continuous PII leakage monitoring and prevention. This has significant implications for data privacy, and by extension, GDPR and CCPA.
  • 30% of the websites analyzed had implemented security policies – an encouraging 10% increase over 2019. However…
  • Only 1.1% of websites were found to have effective security in place – an 11% decline from 2019. It indicates that while deployment volume went up, effectiveness declined more steeply. The attackers have the upper hand largely because we are not playing effective defense.

New threat environment elements and global attack trends

There has been an increase in both cyberattack volume and breaches during the past 12 months in the U.S. This has prompted increased investment in cyber defense, with U.S. businesses already using an average of more than nine different cybersecurity tools, a VMware survey found.

Key findings

  • 92% said attack volumes have increased in the last 12 months, the survey found.
  • 97% said their business has suffered a security breach in the last 12 months. The average organization said they experienced 2.70 breaches during that time, the survey found.
  • 84% said attacks have become more sophisticated, the survey found.
  • 95% said they plan to increase cyber defense spending in the coming year.
  • OS vulnerabilities are the leading cause of breaches, according to the survey, followed by web application attacks and ransomware.
  • US companies said they are using an average of 9 different security technologies to manage their security program, the survey found.

Common breach causes in U.S.

The most common cause of breaches in the U.S. was OS vulnerabilities (27%). This was jointly followed by web application attacks with 13.5% and ransomware with 13%. Island-hopping was the cause of 5% of breaches.

Rick McElroy, Cyber Security Strategist at VMware Carbon Black, said: “Island-hopping is having an increasing breach impact with 11% of survey respondents citing it as the main cause. In combination with other third-party risks such as third-party apps and the supply chain, it’s clear the extended enterprise is under pressure.”

Complex multi-technology environments

US cybersecurity professionals said they are using an average of more than nine different tools or consoles to manage their cyber defense program, the survey found. This indicates a security environment that has evolved reactively as security tools have been adopted to tackle emerging threats.

“Siloed, hard-to-manage environments hand the advantage to attackers from the start. Evidence shows that attackers have the upper hand when security is not an intrinsic feature of the environment. As the cyber threat landscape reaches saturation, it is time for rationalization, strategic thinking and clarity over security deployment,” said McElroy.

Supplemental COVID-19 survey in U.S.

The latest research was supplemented with a survey on the impact COVID-19 has had on the attack landscape. According to the supplemental survey of more than 1,000 respondents from the U.S., UK, Singapore and Italy, 88% of U.S. cybersecurity professionals said attack volumes have increased as more employees work from home. 89% said their organizations have experienced cyberattacks linked to COVID-19 malware.

Key findings from the supplemental U.S. COVID-19-focused survey:

  • 89% said they have been targeted by COVID-19-related malware.
  • Inability to institute multifactor authentication (MFA) was reported as the biggest security threat to businesses during COVID-19, the survey found.
  • 83% reported gaps in disaster planning around communications with external parties including customers, prospects, and partners.

Said McElroy: “The global situation with COVID-19 has put the spotlight on business resilience and disaster recovery planning. Those organizations that have delayed implementing multi-factor authentication appear to be facing challenges, as 32% of U.S. respondents say the inability to implement MFA is the biggest threat to business resilience they are facing right now.”

Exposing gaps in a disaster recovery plan

U.S. survey respondents were asked whether COVID-19 had exposed gaps in their disaster recovery plans, and to indicate the severity of those gaps. Their responses showed that:

  • 83% of respondents reported gaps in recovery planning, ranging from slight to severe.
  • 83% said they had uncovered gaps in IT operations.
  • 84% said they encountered problems around enabling a remote workforce.
  • 83% said they’ve experienced challenges communicating with employees.
  • 83% said they had experienced difficulty communicating with external parties.
  • 63% said the situation uncovered gaps around visibility into cybersecurity threats.

“These figures indicate that the surveyed CISOs may be facing difficulty in a number of areas when answering the demands placed on them by the COVID-19 situation,” according to McElroy.

Risks directly related to COVID-19 have also quickly emerged, the survey found. This includes rises in COVID-19 malware which was seen by 89% of U.S. respondents.

Said McElroy: “The 2020 survey results suggest that security teams must be working in tandem with business leaders to shift the balance of power from attackers to defenders. We must also collaborate with IT teams and work to remove the complexity that’s weighing down the current model.

“By building security intrinsically into the fabric of the enterprise – across applications, clouds and devices – teams can significantly reduce the attack surface, gain greater visibility into threats, and understand where security vulnerabilities exist.”

2020: The year of increased attack sophistication

There was an increase in both cyberattack volume and breaches during the past 12 months in the U.S. This has prompted increased investment in cyber defense, with U.S. businesses already using an average of more than nine different cybersecurity tools, a VMware survey found.

Increased attack sophistication in 2020

Key survey findings from U.S. respondents:

  • 92% said attack volumes have increased in the last 12 months, the survey found.
  • 97% said their business has suffered a security breach in the last 12 months. The average organization said they experienced 2.70 breaches during that time, the survey found.
  • 84% said attacks have become more sophisticated, the survey found.
  • 95% said they plan to increase cyber defense spending in the coming year.
  • OS vulnerabilities are the leading cause of breaches, according to the survey, followed by web application attacks and ransomware.
  • US companies said they are using an average of 9 different security technologies to manage their security program, the survey found.

Common breach causes in U.S.

The most common cause of breaches in the U.S. was OS vulnerabilities (27%). This was jointly followed by web application attacks with 13.5% and ransomware with 13%. Island-hopping was the cause of 5% of breaches.

Rick McElroy, Cyber Security Strategist at VMware Carbon Black, said: “Island-hopping is having an increasing breach impact with 11% of survey respondents citing it as the main cause. In combination with other third-party risks such as third-party apps and the supply chain, it’s clear the extended enterprise is under pressure.”

Complex multi-technology environments

US cybersecurity professionals said they are using an average of more than nine different tools or consoles to manage their cyber defense program, the survey found. This indicates a security environment that has evolved reactively as security tools have been adopted to tackle emerging threats.

Said McElroy: “Siloed, hard-to-manage environments hand the advantage to attackers from the start. Evidence shows that attackers have the upper hand when security is not an intrinsic feature of the environment. As the cyber threat landscape reaches saturation, it is time for rationalization, strategic thinking and clarity over security deployment.”

Supplemental COVID-19 survey

The latest research was supplemented with a survey on the impact COVID-19 has had on the attack landscape. According to the supplemental survey of more than 1,000 respondents from the U.S., UK, Singapore and Italy, 88% of U.S. cybersecurity professionals said attack volumes have increased as more employees work from home. 89% said their organizations have experienced cyberattacks linked to COVID-19 malware.

Key findings from the supplemental U.S. COVID-19-focused survey:

  • 89% said they have been targeted by COVID-19-related malware.
  • Inability to institute multi-factor authentication (MFA) was reported as the biggest security threat to businesses during COVID-19, the survey found.
  • 83% reported gaps in disaster planning around communications with external parties including customers, prospects, and partners.

“The global situation with COVID-19 has put the spotlight on business resilience and disaster recovery planning. Those organizations that have delayed implementing multi-factor authentication appear to be facing challenges, as 32% of U.S. respondents say the inability to implement MFA is the biggest threat to business resilience they are facing right now,” said McElroy.

Gaps in disaster recovery plans

U.S. survey respondents were asked whether COVID-19 had exposed gaps in their disaster recovery plans, and to indicate the severity of those gaps. Their responses showed that:

  • 83% of respondents reported gaps in recovery planning, ranging from slight to severe.
  • 83% said they had uncovered gaps in IT operations.
  • 84% said they encountered problems around enabling a remote workforce.
  • 83% said they’ve experienced challenges communicating with employees.
  • 83% said they had experienced difficulty communicating with external parties.
  • 63% said the situation uncovered gaps around visibility into cybersecurity threats.

Said McElroy: “These figures indicate that the surveyed CISOs may be facing difficulty in a number of areas when answering the demands placed on them by the COVID-19 situation.”

Risks directly related to the pandemic have also quickly emerged, the survey found. This includes rises in COVID-19 malware which was seen by 89% of U.S. respondents.

Said McElroy: “The 2020 survey results suggest that security teams must be working in tandem with business leaders to shift the balance of power from attackers to defenders. We must also collaborate with IT teams and work to remove the complexity that’s weighing down the current model.

“By building security intrinsically into the fabric of the enterprise – across applications, clouds and devices – teams can significantly reduce the attack surface, gain greater visibility into threats, and understand where security vulnerabilities exist.”

70% of organizations experienced a public cloud security incident in the last year

70% of organizations experienced a public cloud security incident in the last year – including ransomware and other malware (50%), exposed data (29%), compromised accounts (25%), and cryptojacking (17%), according to Sophos.

Organizations running multi-cloud environments are more than 50% more likely to suffer a cloud security incident than those running a single cloud.

Europeans suffered the lowest percentage of security incidents in the cloud, an indicator that compliance with GDPR guidelines is helping to protect organizations from being compromised. India, on the other hand, fared the worst, with 93% of organizations being hit by an attack in the last year.

“Ransomware, not surprisingly, is one of the most widely reported cybercrimes in the public cloud. The most successful ransomware attacks include data in the public cloud, according to the State of Ransomware 2020 report, and attackers are shifting their methods to target cloud environments that cripple necessary infrastructure and increase the likelihood of payment,” said Chester Wisniewski, principal research scientist, Sophos.

“The recent increase in remote working provides extra motivation to disable cloud infrastructure that is being relied on more than ever, so it’s worrisome that many organizations still don’t understand their responsibility in securing cloud data and workloads. Cloud security is a shared responsibility, and organizations need to carefully manage and monitor cloud environments in order to stay one step ahead of determined attackers.”

The unintentional open door: How attackers break in

Accidental exposure continues to plague organizations, with misconfigurations exploited in 66% of reported attacks. Misconfigurations drive the majority of incidents and are all too common given cloud management complexities.

Additionally, 33% of organizations report that cybercriminals gained access through stolen cloud provider account credentials. Despite this, only a quarter of organizations say managing access to cloud accounts is a top area of concern.

Data further reveals that 91% of accounts have overprivileged identity and access management roles, and 98% have multi-factor authentication disabled on their cloud provider accounts.

Public cloud security incident: The silver lining

96% of respondents admit to concern about their current level of cloud security, an encouraging sign that it’s top of mind and important.

Appropriately, “data leaks” top the list of security concerns for nearly half of respondents (44%); identifying and responding to security incidents is a close second (41%). Notwithstanding this silver lining, only one in four respondents view lack of staff expertise as a top concern.

MongoDB is subject to continual attacks when exposed to the internet

On average, an exposed Mongo database is breached within 13 hours of being connected to the internet. The fastest breach recorded was carried out 9 minutes after the database was set up, according to Intruder.

MongoDB is a general purpose, document-based, distributed database that consistently ranks in the top 5 most-used databases worldwide. It is used by a wide range of organizations all over the globe to store and secure sensitive application and customer data.

There are 80,000 exposed MongoDB services on the internet, of which 20,000 were unsecured. Of those unsecured databases, 15,000 are already infected with ransomware.

How MongoDB attacks are carried out

After seeing how consistently database breaches were occurring, Intruder planted honeypots to find out how these attacks happen, where the threats are coming from, and how fast they take place. Intruder set up a number of unsecured MongoDB honeypots across the web, each filled with fake data. The network traffic was monitored for malicious activity and if password hashes were exfiltrated and seen crossing the wire, this would indicate that a database was breached.

The research shows that MongoDB is subject to continual attacks when exposed to the internet. Attacks are carried out automatically and indiscriminately and on average an unsecured database is compromised less than 24 hours after going online.
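The detection method described above (seed fake password hashes into the honeypot, then watch for them leaving on the wire) can be sketched as follows. This is an added example, not Intruder's code: the canary derivation, the `Segment` record, the honeypot names and the captured traffic are all constructed for illustration. It keeps a per-flow tail so a hash split across two segments is still caught, and reports the time from going online to first exfiltration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

CANARY_LEN = 64  # length of a SHA-256 hex digest


def make_canaries(honeypot_id, count=3):
    """Derive unique fake password hashes to seed into one honeypot's user table."""
    return sorted(
        hashlib.sha256(f"{honeypot_id}:canary:{i}".encode()).hexdigest().encode()
        for i in range(count)
    )


@dataclass
class Segment:
    ts: datetime     # capture time
    honeypot: str    # honeypot that sent the bytes
    peer: str        # remote address receiving them
    payload: bytes   # outbound payload as captured


def first_exfiltration(segments, canaries_by_pot):
    """Return {honeypot: (timestamp, peer)} for the first outbound flow carrying a canary."""
    tails = {}  # (honeypot, peer) -> trailing bytes of that flow seen so far
    hits = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.honeypot in hits:
            continue  # only the first breach per honeypot is recorded
        key = (seg.honeypot, seg.peer)
        # Prepend the previous tail so a hash split across two segments still
        # matches; lower-case so an upper-cased hex dump matches as well.
        buf = tails.get(key, b"") + seg.payload.lower()
        if any(c in buf for c in canaries_by_pot.get(seg.honeypot, ())):
            hits[seg.honeypot] = (seg.ts, seg.peer)
        tails[key] = buf[-(CANARY_LEN - 1):]
    return hits


def time_to_breach(online_at, hits):
    """Elapsed time between a honeypot going online and its first canary sighting."""
    return {pot: ts - online_at[pot] for pot, (ts, _peer) in hits.items()}


def run_demo():
    """Run the detector over constructed traffic for three hypothetical honeypots."""
    t0 = datetime(2020, 1, 1, 0, 0, 0)
    pots = ["hp-a", "hp-b", "hp-c"]
    canaries = {p: make_canaries(p) for p in pots}
    online_at = {p: t0 for p in pots}
    a, b = canaries["hp-a"][0], canaries["hp-b"][1]
    # Constructed capture; peer addresses are from documentation ranges.
    segments = [
        # hp-a: user dump whose hash is split across two segments of one flow,
        # with an unrelated flow interleaved between them
        Segment(t0 + timedelta(minutes=8, seconds=59), "hp-a", "203.0.113.5",
                b'{"user":"alice","pw":"' + a[:20]),
        Segment(t0 + timedelta(minutes=8, seconds=59, milliseconds=500),
                "hp-a", "198.51.100.7", b'{"ok":1}'),
        Segment(t0 + timedelta(minutes=9), "hp-a", "203.0.113.5", a[20:] + b'"}'),
        # hp-b: a probe with no canary first, then a dump in upper-case hex
        Segment(t0 + timedelta(hours=1), "hp-b", "198.51.100.7", b'{"ismaster":true}'),
        Segment(t0 + timedelta(hours=13), "hp-b", "192.0.2.44", b"PW=" + b.upper()),
        # hp-c: probed but never dumped, so it must not be reported
        Segment(t0 + timedelta(hours=2), "hp-c", "198.51.100.7", b'{"ok":1}'),
    ]
    hits = first_exfiltration(segments, canaries)
    return hits, time_to_breach(online_at, hits)


if __name__ == "__main__":
    hits, ttb = run_demo()
    for pot in sorted(ttb):
        print(f"{pot}: breached after {ttb[pot]} by {hits[pot][1]}")
```

Because each honeypot gets its own canaries, a sighting also identifies which database the data came from.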

At least one of the honeypots was held to ransom within a minute of connecting. The attacker erased the database’s tables and replaced them with a ransom note, requesting payment in Bitcoin for recovery of the data.

Where do attacks come from?

Attacks originated from locations all over the globe, though attackers routinely hide their true location, so there’s often no way to tell where attacks are really coming from. The fastest breach came from an attacker from Russian ISP Skynet and over half of the breaches originated from IP addresses owned by a Romanian VPS provider.

“It’s quite possible that some of the activity recorded was from security researchers looking for their next headline or data for their breach database. However, when it comes to a company’s security reputation, it often doesn’t matter whether the data is breached by a malicious attacker or a well-meaning researcher,” said Chris Wallis, CEO, Intruder.

“Even if security teams can detect an unsecured database and recognise its potential severity, responding to and containing such a misconfiguration in less than 13 hours may be a tall order, let alone in under 9 minutes. Prevention is a much stronger defence than cure.”

Ransomware attacks are increasing, do you have an emergency plan in place?

39% of organizations either have no ransomware emergency plan in place or are not aware if one exists. This is despite more ransomware attacks being recorded in the past 12 months than ever before, Ontrack reveals.

Cyberattacks and data breaches can have serious implications for organizations in terms of downtime, financial damage and reputation of the business. Ransomware attacks that seek to encrypt a victim’s data and demand a fee to restore it continue to be prevalent. Unfortunately, the damage caused can be severe and widespread.

The largest ransomware attack to date – WannaCry – was estimated to have affected more than 200,000 computers across 150 separate countries. Ransomware today is rife and has been exacerbated by the current work-from-home trend.

Working backup access denied

21% of the survey respondents said they had experienced a ransomware attack, and of those, 26% admitted they couldn’t access any working backup after the attack. Even when organizations could access a working backup, 22% of them could either only restore a partial amount of data or none at all.

In most countries, employees have been working under a completely different set of parameters for a couple of months; ones where new security risks are high and where cybercriminals are finding new ways to exploit any weaknesses they can find.

“We have seen a sharp increase in the number of ransomware cases since lockdown began,” comments Philip Bridge, president of Ontrack. “Unfortunately, this is at a time when more distractions at home have led to an increased amount of complacency by staff. For example, clicking on ransomware-infected links that they wouldn’t click if they were in the office.”

Remote working creating major vulnerabilities

Whilst there are numerous benefits, the remote working seen during lockdown can leave a business’s IT network and systems vulnerable. It adds a huge number of endpoints to organizations that may not have been there previously. Plus, many of them are considered shadow IT and have not been vetted by the employer.

“The threat of ransomware has never been greater. The fact that only 39% of respondents to our survey have an emergency plan in place for a ransomware attack is shocking. They are gambling with their and their customer’s data.

“It is imperative, now as ever, to ensure your organization has processes and procedures in place to mitigate the impact of any cyber-attack and protect sensitive data,” adds Bridge.

Study of global hackers and the economics of security research

Human ingenuity supported by actionable intelligence were found to be critical ingredients to maintaining a resilient infrastructure, Bugcrowd reveals. In fact, 78% of hackers indicated AI-powered cybersecurity solutions alone aren’t enough to outmaneuver cyber attacks over the next decade.

87% of hackers say that scanners cannot find as many critical or unknown assets as humans. While 2019 was a record year for data breaches, the report found that hackers prevented $8.9B of cybercrime in 2019 and earned 38% more than they did in the previous period.

In the next five years, hackers are projected to prevent more than $55 billion in cybercrime for organizations worldwide.

“Hackers will always be one step ahead of AI when it comes to cybersecurity because humans are not confined by the logical limitations of machine intelligence,” said Jasmin Landry, top-ranked Bugcrowd hacker.

“For example, hackers can adapt four to five low-impact bugs to exploit a single high-impact attack vector that AI would likely miss without the creative flexibility of human decision-making.

“Experience allows hackers to recognize vulnerable misconfigurations that represent a true risk to organizations without all of the false positives that typically come with AI-powered solutions.”

The next generation of hackers are younger and neurologically diverse

Hacking as a profession is lucrative and highly attractive to young people, with 53% of hackers under the age of 24.

Remarkably, the report uncovered that 13% of hackers are neurodiverse and possess neurological advantages that help them provide extraordinary depth and dimension in security testing. These unique strengths include exceptional memory skills, heightened perception, a precise eye for detail, and an enhanced understanding of systems.

6% of neurodiverse hackers experience Attention-Deficit/Hyperactivity Disorder (AD/HD) and thrive in environments of rapid change, such as security research, where creativity and out-of-the-box thinking are rewarded generously.

Career hacking and the economics of security research

The research found that hackers live on six continents and reside in more than 100 countries worldwide. Most notably, the report identified an 83% growth in respondents living in India and 73% of hackers speak two or more languages.

“Having started my career as a hacker, I understand that cybersecurity is inherently a human problem. ‘The power of the crowd’ in crowdsourced cybersecurity is rooted in being able to look at the same thing as everyone else and see something else,” said Adrian Ludwig, CISO at Atlassian.

Social responsibility on the rise among businesses, hackers

The report uncovered a growing social responsibility trend among businesses and hackers. 93% of hackers primarily hack out of care for the well-being of the organizations with which they work. Additionally, organizations made five times the number of coordinated disclosures in the last twelve months.

“The exponential growth of these disclosures highlights the value of transparency to stakeholders and demonstrates organizations are taking social responsibility more seriously than ever,” said Casey Ellis, CTO of Bugcrowd.

COVID-19 increasing demand for career hackers

The FBI reported a 400% rise in cybercrime after COVID-19 was declared a pandemic, and organizations are investing more in bug bounty programs as a result. 61% of hackers have noticed an increase in available bug bounty programs to participate in due to widespread remote working conditions related to COVID-19.

“We are in unprecedented territory – and COVID-19 has forced many businesses to accelerate digital transformation efforts,” said Ashish Gupta, CEO and president of Bugcrowd.

“The rush to digitize businesses can create serious lapses in security and organizations are turning to bug bounty programs to proactively safeguard new products and applications against vulnerabilities.”

Like the larger security industry, career hackers also noted concerns about COVID-related fraud. 48% of hackers believe the healthcare industry is the most vulnerable to cybercrime during the unfolding crisis, followed by education and community support (17%) and government and military (16%).

Additionally, as the government faces the potential impact of COVID-19 on the upcoming 2020 US Presidential election, 72% of hackers independently reported that they do not trust alternative polling methods, like electronic polling or mail-in ballots.

Cybercriminals exposed 5 billion records in 2019, costing U.S. organizations over $1.2 trillion

Cybercriminals exposed over 5 billion records in 2019, costing over $1.2 trillion to U.S. organizations, according to ForgeRock. Coupled with breaches in 2018 costing over $654 billion, breaches over the last two years have cost U.S. organizations over $1.8 trillion.

Healthcare: The most targeted industry

Healthcare emerged as the most targeted industry in 2019, accounting for 382 breaches and costing over $2.45B, an increase from 164 incidents costing over $633 million in 2018.

Despite healthcare being the most frequently targeted industry, technology firms had the highest number of records compromised from breaches with over 1.37 billion exposed in 2019 costing a total of over $250 billion.

Personally identifiable information (PII) remained the data most targeted by attackers and was exposed in 98% of 2019 breaches, up from 97% in 2018.

  • Unauthorized access was the most common attack vector used in 2019, responsible for 40% of breaches, followed by ransomware and malware at 15% and phishing at 14%.
  • By targeting PII and leveraging unauthorized access, cybercriminals highlight how weaknesses in enterprises’ identity and access management (IAM) practices increasingly allow for greater volumes and more sensitive types of data to be pilfered.
  • In fact, social security numbers (SSNs) were the most targeted type of data compromised as they were exposed in 384 breaches in 2019.

“Cybercriminals continue to refine their attack vectors and can execute a greater volume of attacks than ever before to pilfer consumer data,” said Eve Maler, CTO, ForgeRock.

“The Consumer Identity Breach Report’s findings demonstrate that no industry is safe. Enterprises need to critically evaluate their digital identity management strategies for weaknesses.

“Given that there are new pressures to tear down the corporate castle walls for access by bring-your-own devices, temporary workers and outside applications, organizations must deploy a modern platform that provides intelligent, contextual and continuous security that can prompt for identity validation after detecting anomalous behavior. They can then ensure more layers of security between threat actors and consumer data while delivering superior experiences to their legitimate users.”

Cybercriminals and exposed records: 2020 is set to outpace 2019

Based on Q1 2020 data, 2020 is set to outpace 2019 in terms of records breached, even though the number of breaches is tracking down by 57%. There have been 92 data breaches affecting 1.6 billion records in Q1 2020 alone, 9% more records than Q1 2019.

Healthcare is still the most breached industry in Q1 2020, accounting for 51% of the incidents, which may be due to attackers targeting strained healthcare organizations amid the COVID-19 pandemic. However, the most records exposed throughout Q1 2020 have been from social media firms.

Key findings

  • Following healthcare, the banking/insurance/financial industry was the second most targeted in 2019, accounting for 12% of all breaches. This is followed by education (7%), government (5%) and retail (5%).
  • Social security numbers and date of birth details were the most targeted data – accounting for 37% of breached information, yet this is down from 54% in 2018.
  • Names and addresses (18%) and personal health information (17%) were the second and third most breached data types, respectively.
  • Medical records are the most sought-after type of PII in Q1 2020, accounting for 25% of all exposed data.

Most companies suffered a cloud data breach in the past 18 months

Nearly 80% of the companies had experienced at least one cloud data breach in the past 18 months, and 43% reported 10 or more breaches, a new Ermetic survey reveals.

According to the 300 CISOs that participated in the survey, security misconfiguration (67%), lack of adequate visibility into access settings and activities (64%) and identity and access management (IAM) permission errors (61%) were their top concerns associated with cloud production environments.

Meanwhile, 80% reported they are unable to identify excessive access to sensitive data in IaaS/PaaS environments. Only hacking ranked higher than misconfiguration errors as a source of data breaches.

“Even though most of the companies surveyed are already using IAM, data loss prevention, data classification and privileged account management products, more than half claimed these were not adequate for protecting cloud environments,” said Shai Morag, CEO of Ermetic.

“In fact, two thirds cited cloud native capabilities for authorization and permission management, and security configuration as either a high or an essential priority.”

Excessive access permissions may go unnoticed

Driven by the dynamic and on-demand nature of public cloud infrastructure deployments, users and applications often accumulate access permissions beyond what is necessary for their legitimate needs.

Excessive permissions may go unnoticed as they are often granted by default when a new resource or service is added to the cloud environment. These are a primary target for attackers as they can be used for malicious activities such as stealing sensitive data, delivering malware or causing damage such as disrupting critical processes and business operations.
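One way to surface the excess permissions described above, as an added example that is not from the survey or the original article: compare what each identity has been granted with what the access logs show it actually using. The identity names, the `service:Operation` action names and the log entries are constructed for illustration and do not belong to any particular cloud provider.

```python
from fnmatch import fnmatchcase

# Constructed sample: permissions granted to each identity. "*" is a wildcard,
# as in typical cloud IAM policies (assumed convention, not a specific vendor's).
GRANTED = {
    "ci-deployer": ["storage:GetObject", "storage:PutObject", "compute:*"],
    "report-job": ["storage:GetObject", "db:Query", "db:DeleteTable"],
    # A grant created by default with a new resource and never used since.
    "new-bucket-default": ["storage:*"],
}

# Constructed sample: (identity, action) pairs seen in access logs during the
# review window, including one call that no grant covers.
OBSERVED = [
    ("ci-deployer", "storage:PutObject"),
    ("ci-deployer", "compute:StartInstance"),
    ("report-job", "storage:GetObject"),
    ("report-job", "db:Query"),
    ("report-job", "iam:CreateUser"),
]


def covers(pattern, action):
    """True if a granted pattern (possibly containing '*') authorizes the action."""
    return fnmatchcase(action, pattern)


def audit(granted, observed):
    """Return a per-identity report of unused, over-broad and uncovered access.

    Identities that appear only in the logs (no entry in `granted`) are ignored.
    """
    used = {}
    for identity, action in observed:
        used.setdefault(identity, set()).add(action)

    report = {}
    for identity, patterns in granted.items():
        actions = used.get(identity, set())
        # Grants that no observed action ever exercised: candidates for removal.
        unused = [p for p in patterns
                  if not any(covers(p, a) for a in actions)]
        # Wildcard grants that were exercised: list what was really needed so
        # the wildcard can be replaced by explicit actions.
        narrow = {}
        for p in patterns:
            hits = sorted(a for a in actions if covers(p, a))
            if "*" in p and hits:
                narrow[p] = hits
        # Calls that no grant covers (for example denied attempts): these are
        # worth investigating and must not leak into the proposed policy.
        ungranted = sorted(a for a in actions
                           if not any(covers(p, a) for p in patterns))
        proposed = sorted(a for a in actions
                          if any(covers(p, a) for p in patterns))
        report[identity] = {
            "dormant": not actions,   # no activity at all in the window
            "unused": unused,
            "narrow": narrow,
            "ungranted": ungranted,
            "proposed": proposed,     # least-privilege replacement policy
        }
    return report


if __name__ == "__main__":
    for identity, finding in audit(GRANTED, OBSERVED).items():
        print(identity)
        for key, value in finding.items():
            print(f"  {key}: {value}")
```

The review window matters: an action used only at quarter end will look unused in a two-week log sample, so the proposed policy is a starting point for review rather than something to apply blindly.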

Survey highlights

As part of the study, IDC surveyed 300 senior IT decision makers in the US across the Banking (12%), Insurance (10%), Healthcare (11%), Government (8%), Utilities (9%), Manufacturing (10%), Retail (9%), Media (11%), Software (10%) and Pharmaceutical (10%) sectors. Organizations ranged in size from 1,500 to more than 20,000 employees.

Some of the report’s key findings include:

  • 79% of companies experienced at least one cloud data breach in the past 18 months, and 43% said they had 10 or more
  • Top three cloud security threats are security misconfiguration of production environments (67%), lack of visibility into access in production environments (64%) and improper IAM and permission configurations (61%)
  • Top three cloud security priorities are compliance monitoring (78%), authorization and permission management (75%), and security configuration management (73%)
  • Top cloud access security priorities are maintaining confidentiality of sensitive data (67%), regulatory compliance (61%) and providing the right level of access (53%)
  • Top cloud access security challenges are insufficient personnel/expertise (66%), integrating disparate security solutions (52%) and lack of solutions that can meet their needs (39%)

Despite lower number of vulnerability disclosures, security teams have their work cut out for them

The number of vulnerabilities disclosed in Q1 2020 has decreased by 19.8% compared to Q1 2019, making this likely the only true dip observed within the last 10 years, Risk Based Security reveals.

Vulnerabilities of interest disclosed in Q1 2020

Vulnerabilities disclosed in Q1 2020: What happened?

Many factors have been identified as potential contributors to this decline, including the COVID-19 pandemic, though its precise impact may not be known for another year.

“Although the pandemic has already brought unprecedented changes to all walks of life, it is difficult to predict precisely how it will impact vulnerability disclosures this year,” commented Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security.

“It is possible, as we’ve seen with data breaches, that some researchers and companies may be slower to disclose vulnerabilities. Between drastic changes in work environments and a global pandemic, vulnerability disclosure totals may be directly impacted.”

Many vulnerabilities lacking detail in CVE

Despite the lower total number of vulnerability disclosures in Q1, security teams have their work cut out for them. 561 vulnerabilities have been identified that have a public exploit, yet do not have any detail in CVE.

Worse, 60.2% of those vulnerabilities are remotely exploitable. This is problematic for many organizations that rely on security tools that are based on CVE data and have little in the way of detection and mitigation.

Top ten products by vulnerability disclosures in Q1 2020, as compared to 2019

“Those vulnerabilities include issues such as remote authentication bypass, stored XSS, SQL injection, information disclosure, denial of service, and more,” Mr. Martin concluded.

“Some of these vulnerabilities are present in software from Symantec, Apple, Atlassian, ManageEngine, Nextcloud, Jetbrains, and IBM to name a few. That should give pause to anyone who has to come up with a mitigation strategy where patching ‘in the right order’ becomes a key strategy.”

Why is SDP the most effective architecture for zero trust strategy adoption?

Software Defined Perimeter (SDP) is the most effective architecture for adopting a zero trust strategy, an approach that is being heralded as the breakthrough technology for preventing large-scale breaches, according to the Cloud Security Alliance.

“Most of the existing zero trust security measures are applied as authentication and sometimes authorization, based on policy after the termination of Transport Layer Security (TLS) certificates,” said Nya Alison Murray, senior ICT architect and co-lead author of the report.

“Network segmentation and the establishment of micro networks, which are so important for multi-cloud deployments, also benefit from adopting a software-defined perimeter zero trust architecture.”

SDP improves security posture

A zero trust implementation using SDP enables organizations to defend against new variations of old attack methods that are constantly surfacing in existing network and infrastructure perimeter-centric networking models.

Implementing SDP improves the security posture of businesses facing the challenge of continuously adapting to expanding attack surfaces that are, in turn, increasingly more complex.

Network security implementation issues

The report notes particular issues that have arisen that require a rapid change in the way network security is implemented, including the:

  • Changing perimeter, whereby the past paradigm of a fixed network perimeter, with trusted internal network segments protected by network appliances such as load balancers and firewalls has been superseded by virtualized networks, and the ensuing realization that the network protocols of the past are not secure-by-design.
  • IP address challenge, noting that IP addresses lack any type of user knowledge to validate the trust of the device. With no way for an IP address to have user context, they simply provide connectivity information but do not get involved in validating the trust of the endpoint or the user.
  • Challenge of implementing integrated controls. Visibility and transparency of network connections is problematic in the way networks and cyber security tools are implemented. Today, integration of controls is performed by gathering data in a SIEM for analysis.

C-suite execs often pressure IT teams to make security exceptions for them

The C-suite is the most likely group within an organization to ask for relaxed mobile security protocols (74%) – despite also being highly targeted by malicious cyberattacks, according to MobileIron.

The study combined research from 300 enterprise IT decision makers across Benelux, France, Germany, the U.K. and the U.S., as well as 50 C-level executives from both the U.K. and the U.S. The study revealed that C-level executives feel frustrated by mobile security protocols and often request to bypass them.

Make security exceptions for the C-suite

  • 68% of C-level executives said IT security compromises their personal privacy, while 62% said security limits the usability of their device, and 58% claimed IT security is too complex to understand.
  • 76% of C-level executives admitted to requesting to bypass one or more of their organization’s security protocols last year. Of these, 47% requested network access to an unsupported device, 45% requested to bypass multi-factor authentication (MFA) and 37% requested access to business data on an unsupported app.

“These findings are concerning because all of these C-suite exemptions drastically increase the risk of a data breach,” said Brian Foster, SVP Product Management, MobileIron.

“Accessing business data on a personal device or app takes data outside of the protected environment, leaving critical business information exposed for malicious users to take advantage of. Meanwhile, MFA – designed to protect businesses from the leading cause of data breaches, stolen credentials – is being side-stepped by C-Suite execs.”

C-level execs highly vulnerable to cyberattacks

The study also revealed that C-level execs are highly vulnerable to cyberattacks:

  • 78% of IT decision makers stated that the C-suite is the most likely to be targeted by phishing attacks, and 71% claimed the C-suite is the most likely to fall victim to such attacks.
  • 72% of IT decision makers claimed the C-suite is the most likely to forget or need help with resetting their passwords.

“These findings highlight a point of tension between business leaders and IT departments. IT views the C-suite as the weak link when it comes to cybersecurity, while execs often see themselves as above security protocols,” said Foster.

“In today’s modern enterprise, cybersecurity can’t be an optional extra. Businesses need to ensure they have a dynamic security foundation in place that works for everyone within the organization. This means that mobile security must be easy to use, while also ensuring that employees at every level of the business can maintain maximum productivity without interference, and without feeling that their own personal privacy is being compromised.”

Account credentials of 26+ million LiveJournal users leaked online

A data dump containing account information of over 26 million LiveJournal users has been offered for sale on dark web marketplaces and is now being shared for free on underground hacker forums.

The data dump, supposedly originating from a 2014 LiveJournal breach, contains email addresses, usernames, profile URLs and plain text passwords of 33+ million users.

After removing duplicates, Troy Hunt has added the dump to the Have I Been Pwned? service, which potentially affected users can use to check whether they’ve been affected. He also dated the data dump to 2017 because the year was included in the data dump’s file name.

When did the breach happen?

The story of this data breach and leak is an interesting one.

There have been rumors about a supposed LiveJournal breach for years, though the blogging platform, which is owned by Russian media company Rambler Media Group, never confirmed them.

Back in 2018, Hunt received reports about a sextortion campaign targeting LiveJournal users and using their passwords.

Denise Paolucci, one of the owners of Dreamwidth, an online journal service based on the LiveJournal codebase (and with a significant crossover in user base), said on Tuesday that the data dump has been available on the black market since at least October of 2018, when they first reported people getting spam extortion emails with passwords in them.

“Beginning in March of 2020, and again in May of 2020, we saw several instances of Dreamwidth accounts being broken into and used for spam. We believed at the time, and continue to believe, that the source of the password information being used to break into these accounts is the same black-market file that claims to be LiveJournal password data. Every user we asked whether they had used the compromised password on LiveJournal before confirmed that they had,” she explained.

“We have no way to tell for sure whether LiveJournal has actually had a data breach, or whether the file that’s circulating is real or fake. All we can say for certain is that none of the evidence we’ve seen has disproven the claim made by the people offering the file that the file contains usernames and passwords taken from LiveJournal. We’ve contacted LiveJournal about our findings several times, and they’ve told us each time that they don’t believe the situation warrants disclosure to their users. However, at this point we must advise that you treat the file as legitimate and behave as though any password you used on LiveJournal in the past may be compromised.”

Past and current LiveJournal users are advised to change their passwords to a new, long and unique one and to do the same on any other account where they used the same one.

EasyJet data breach: 9 million customers affected

British low-cost airline group EasyJet revealed on Tuesday that it “has been the target of an attack from a highly sophisticated source” and that it has suffered a data breach.

The result? Email addresses and travel details of approximately 9 million customers and credit card details (including CVV numbers) of 2,208 customers were accessed.

How did the attackers manage to breach EasyJet?

In its official notice about the incident, EasyJet did not say when it happened, but the company told the BBC that it became aware of it in January and that the customers whose credit card details were stolen were notified in early April.

They also did not say how the attackers got in, only that it seems that they were after “company intellectual property.” Grabbing customer info might have been an afterthought or a secondary goal, then.

Richard Cassidy, senior director security strategy at Exabeam, says that by looking at recent breaches in the aviation industry, the tools, tactics and procedures (TTPs) being used are largely the same ones that have led to significant breaches in other industries.

“Attackers need credentials to access critical data – we can be certain of this – and often it is social engineering techniques that reveal those credentials. They then laterally move through systems and hosts to expand their reach and embed themselves within the infrastructure, providing multiple points of entry and exit. If an attacker can achieve this – as we are seeing here – it is then a case of packaging and exfiltrating critical data,” he added.

“Some airlines are doing it right – implementing state of the art behavioural analytics technologies that learn the normal behaviour of the network and immediately notify the security team when anomalies occur. Many, however, still need to understand that there is a better way to manage security, risk and compliance requirements and it most certainly is not ‘what we’ve always done’. In an industry that has defined ‘automation’ and ‘process efficiencies’, applying the same to Information Security would quite literally revolutionise their ability to detect, respond and mitigate against the largely traditional raft of attack TTP’s we’ve seen targeted at aviation this past decade.”

Professor Alan Woodward of the University of Surrey noted that the stolen credit card information might have been the result of a Magecart attack.

It would not be the first time for an airline to be targeted by Magecart attackers – British Airways was hit in 2018.

Advice for affected customers

“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the ICO [the UK’s data protection watchdog], we are communicating with the approximately 9 million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing,” said EasyJet Chief Executive Officer Johan Lundgren.

“We are advising customers to continue to be alert as they would normally be, especially should they receive any unsolicited communications. We also advise customers to be cautious of any communications purporting to come from easyJet or easyJet Holidays.”

Unsolicited communications may take the form of fake invoices, refund offers, requests for additional data, and so on.

“Always check the sender name and email address match up and if you’re being asked to carry out an urgent action, verify the legitimacy of the request by contacting EasyJet directly using details on their website,” advised Tim Sadler, CEO, Tessian.

“Cybercriminals have not missed a trick to capitalize on the COVID-19 crisis, and we’ve seen a huge increase in the number of cyber attacks and scams during this time. The travel industry especially has been severely impacted by COVID-19, and there’s no telling how much more damaging this cyber breach will be to EasyJet’s future. Moving forward, organisations should prioritise security protocols, implement sophisticated protection software, and ensure all employees are aware of security best practices, and carrying them out at all times.”

The UK National Cyber Security Centre (NCSC) has advised affected customers to:

  • Be vigilant against any unusual activity in their bank accounts or suspicious phone calls and emails asking them for further information
  • Change their password on their EasyJet accounts (and other accounts that have the same password)
  • Check if their account has appeared in any other public data breaches
  • Report any fraud attempts, depending on their nature, to the police, the NCSC, and their bank’s fraud department.

Money is still the root of most breaches

Verizon has released its annual Data Breach Investigations Report (DBIR), which offers an overview of the cyber security incidents and data breaches that happened or were discovered in the past year.

Based on an analysis of incident and breach reports by 81 contributing organizations – companies, CERTs, law enforcement agencies and cybercrime units, etc. – from around the world, the DBIR offers insight into current cyber attack trends and the threats organizations in various industry verticals and parts of the world face.

2019 cyber attack trends: the “WHO”

The researchers analyzed 32,002 security incidents that resulted in the compromise of an information asset. Of those, 3,950 were data breaches, i.e., incidents that resulted in the confirmed disclosure of data to an unauthorized party.

The report is massive, so we’ll highlight some interesting tidbits and findings:

  • 70% of breaches were perpetrated by external actors (except in the healthcare vertical, where it’s 51% external, 48% internal)
  • 86% of breaches were financially motivated
  • Organized criminal groups were behind 55% of breaches
  • 72% of breaches involved large business victims

“This year’s DBIR has once again highlighted the principal motive for the vast majority of malicious data breaches: the pursuit of profit. This is surprising to some, given the extensive media coverage of national security-related breaches. However, it should not be. Most malicious cyber actors are not motivated by national security or geopolitical objectives, but rather by simple greed,” the data scientists who compiled the report noted.

“Financially motivated breaches are more common than Espionage by a wide margin, which itself is more common than all other motives (including Fun, Ideology and Grudge, the traditional ‘go to’ motives for movie hackers).”

2019 cyber attack trends: the “HOW”

The majority of data breaches (67% or more) are caused by credential theft, social attacks (phishing, business email compromise, pretexting) and errors (mostly misconfiguration and misdelivery of documents and email).

“These tactics prove effective for attackers, so they return to them time and again. For most organizations, these three tactics should be the focus of the bulk of security efforts,” they advised.

Another interesting finding is that attacks on web apps were a part of 43% of breaches, which is more than double the results from last year. The researchers put this down to more workflows moving to cloud services and attackers adjusting to the shift.

“The most common methods of attacking web apps are using stolen or brute-forced credentials (over 80%) or exploiting vulnerabilities (less than 20%) in the web application to gain access to sensitive information,” they shared.

Less than 5% of breaches involved exploitation of a vulnerability, and it seems that most organizations are doing a good job at patching – at least at patching the assets they know about.

“Most organizations we see have internet-facing assets spread across five or more networks. It’s the forgotten assets that never get patched that can create dangerous holes in your defenses,” the authors pointed out.

Most malware is still delivered by email and the rest via web services. Attackers have mostly given up on cryptocurrency mining malware, RAM scrapers and malware with vulnerability exploits, but love password dumpers, malware that captures app data, ransomware and downloaders.

Even though it is a small percentage of all incidents, financially motivated social engineering is on the rise – and attackers have largely stopped asking for W-2 data of employees and switched to asking for the cash directly.

Cloud assets were involved in about 22% of breaches this year, while the rest were on-premises assets.

“Cloud breaches involved an email or web application server 73% of the time. Additionally, 77% of those cloud breaches also involved breached credentials. This is not so much an indictment of cloud security as it is an illustration of the trend of cybercriminals finding the quickest and easiest route to their victims,” they noted.

Use the information to improve defenses

An interesting finding that can be used by defenders to their advantage is that attackers prefer short paths to a data breach. Throwing things in their way to increase the number of actions they have to take is likely to decrease their chance of making off with the data.

Knowing which actions happen at the beginning, middle and end of incidents and breaches can also help defenders react quickly and with purpose.

“Malware is rarely the first action in a breach because it obviously has to come from somewhere. Conversely, Social actions almost never end an attack. In the middle, we can see Hacking and Malware providing the glue that holds the breach together. And so, [another] defensive opportunity is to guess what you haven’t seen based on what you have,” the authors noted.

“For example, if you see malware, you need to look back in time for what you may have missed, but if you see a social action, look for where the attacker is going, not where they are. All in all, paths can be hard to wrap your head around, but once you do, they offer a valuable opportunity not just for understanding the attackers, but for planning your own defenses.”

What should organizations do to bolster their cyber security posture?

DBIR report author and Information Security Data Scientist Gabe Bassett advises organizations to keep doing what they are doing: anti-virus at the host, network, and proxy level plus patching and filtering (e.g., with firewalls) will help push the attackers towards other attacks.

“Address the human element. The top actions (phishing, use of stolen credentials, misconfiguration, misdelivery, and misuse) all involve people. No-one is perfect so find ways to set people up for success and be prepared to handle their mistakes,” he noted, and added that all organizations should have some level of security operations.

“You can’t make the defenses high enough, wide enough, deep enough, or long enough to keep an attacker out if you don’t have someone watching the wall. For large organizations this means having a dedicated security operations center. For smaller ones it may mean taking advantage of economies of scale, either by acquiring managed security services directly, or by using services (payment systems, cloud services, and other managed services that have security operations incorporated).”

Finally, to add extra steps to attackers’ path and to deter all but the most persistent ones, organizations should use two-factor authentication whenever possible.

Shifting responsibility is causing uncertainty and more security breaches

Data security is creating fear and trust issues for IT professionals, according to a new Oracle and KPMG report.

The study of 750 cybersecurity and IT professionals across the globe found that a patchwork approach to data security, misconfigured services and confusion around new cloud security models has created a crisis of confidence that will only be fixed by organizations making security part of the culture of their business.

Data security is keeping IT professionals awake at night

Demonstrating the fear and trust issues experienced by IT professionals, the study found that IT professionals are more concerned about the security of their company’s data than the security of their own home.

  • IT professionals are 3X more concerned about the security of company financials and intellectual property than their home security.
  • IT professionals have concerns about cloud service providers. 80 percent are concerned that cloud service providers they do business with will become competitors in their core markets.
  • 75 percent of IT professionals view the public cloud as more secure than their own data centers, yet 92 percent of IT professionals do not trust their organization is well prepared to secure public cloud services.
  • Nearly 80 percent of IT professionals say that recent data breaches experienced by other businesses have increased their organization’s focus on securing data moving forward.

Legacy data security approaches leave IT professionals playing whac-a-mole

IT professionals are using a patchwork of different cybersecurity products to try and address data security concerns, but face an uphill battle as these systems are seldom configured correctly.

  • 78 percent of organizations use more than 50 discrete cybersecurity products to address security issues; 37 percent use more than 100 cybersecurity products.
  • Organizations that discovered misconfigured cloud services experienced 10 or more data loss incidents in the last year.
  • 59 percent of organizations shared that employees with privileged cloud accounts have had those credentials compromised by a spear phishing attack.
  • The most common types of misconfigurations are:
    • Over-privileged accounts (37 percent)
    • Exposed web servers and other types of server workloads (35 percent)
    • Lack of multi-factor authentication for access to key services (33 percent)

Shifting responsibility and security

Organizations are moving more business-critical workloads to the cloud than ever before, but growing cloud consumption has created new blind spots as IT teams and cloud service providers work to understand their individual responsibilities in securing data. Shifting responsibility is clearly a huge issue, and confusion has left IT security teams scrambling to address a growing threat landscape.

  • Nearly 90 percent of companies are using SaaS and 76 percent are using IaaS. 50 percent expect to move all their data to the cloud in the next two years.
  • Shared responsibility security models are causing confusion. Only 8 percent of IT security executives state that they fully understand the shared responsibility security model.
  • 70 percent of IT professionals think too many specialized tools are required to secure their public cloud footprint.
  • 75 percent of IT professionals have experienced data loss from a cloud service more than once.

It’s time to build a security-first model

To address increasing data security concerns and trust issues, cloud service providers and IT teams need to work together to build a security-first culture. This includes hiring, training, and retaining skilled IT security professionals, and constantly improving processes and technologies to help mitigate threats in an increasingly expanding digital world.

  • 69 percent of organizations report their CISO reactively responds and gets involved in public cloud projects only after a cybersecurity incident has occurred.
  • 73 percent of organizations have or plan to hire a CISO with more cloud security skills; over half of organizations (53 percent) have added a brand new role called the Business Information Security Officer (BISO) to collaborate with the CISO and help integrate security culture into the business.
  • 88 percent of IT professionals feel that within the next three years, the majority of their cloud will use intelligent and automated patching and updating to improve security.
  • 87 percent of IT professionals see AI/ML capabilities as a “must-have” for new security purchases in order to better protect against things like fraud, malware and misconfigurations.

“The lift-and-shift of critical information to the cloud over the last couple of years has shown great promise, but the patchwork of security tools and processes has led to a steady cadence of costly misconfigurations and data leaks. Positive progress is being made, though,” said Steve Daheb, Senior Vice President, Oracle Cloud.

“Adopting tools that leverage intelligent automation to help close the skills gap are on the IT spend roadmap for the immediate future and the C-level is methodically unifying the different lines of business with a security-first culture in mind.”

“In response to the current challenging environment, companies have accelerated the movement of workloads, and associated sensitive data, to the cloud to support a new way of working, and to help optimize cost models. This is exposing existing vulnerabilities and creating new risks,” said Tony Buffomante, Global Co-Leader and U.S. Leader of KPMG’s Cyber Security Services.

“To be able to manage that increased threat level in this new reality, it is essential that CISOs build security into the design of cloud migration and implementation strategies, staying in regular communication with the business.”

Identity-related breaches on the rise, prevention still a work in progress

The number of workforce identities in the enterprise is growing dramatically, largely driven by DevOps, automation, and an increase in enterprise connected devices, which will only continue to accelerate identity growth, an IDSA survey of 502 IT security and identity decision makers reveals.

At the same time, compromised identities remain one of the leading causes of a data breach. According to the study, the vast majority of IT security and identity professionals have experienced an identity-related breach at their company within the past two years, with nearly all of them reporting that they believe these breaches were preventable.

“When approaching identity security, professionals must first consider a range of desired outcomes, or results they want to achieve, and then chart their paths accordingly,” said Julie Smith, executive director of the IDSA.

“According to security and identity professionals, these outcomes are still a work in progress, with less than half reporting that they have fully implemented any of the identity-related security outcomes that the IDSA has initially identified as critical to reducing the risk of a breach. In fact, the research shows a clear correlation between a focus on identity-centric security outcomes and lower breach levels.”

Identity-related breaches are ubiquitous

  • 94% have had an identity-related breach at some point
  • 79% have had an identity-related breach within the past two years
  • 66% say phishing is the most common cause of identity-related breaches
  • 99% believe their identity-related breaches were preventable

Identity security is a work in progress

  • Most identity-related security outcomes are still in progress or planning stages
  • Less than half have fully implemented key identity-related security outcomes
  • 71% have made organizational changes to the ownership of identity management

Forward-thinking companies are showing results

  • Forward-thinking companies are much more likely to have fully implemented key identity-related security outcomes
  • Only 34% of companies with a “forward-thinking” security culture have had an identity-related breach in the past year — far fewer than the 59% of companies with a “reactive” security culture

Businesses vulnerable to emerging risks have a gap in their insurance coverage

The majority of business decision makers are insured against traditional cyber risks, such as breaches of personal information, but most were vulnerable to emerging risks, such as malware and ransomware, revealing a potential insurance coverage gap, according to the Hanover Insurance Group.

The report surveyed business decision makers about cyber vulnerabilities and risk mitigation efforts.

Insurance purchasing decisions influenced by media coverage

Most businesses surveyed indicated they had purchased cyber insurance, and more than 70% reported purchasing a policy on the recommendation of an independent insurance agent.

Purchasing decisions also were heavily influenced by media coverage and prior attack experience. Nearly 90% of study respondents reported experiencing a cyberattack during the past year, and recognized a cyberattack could have a disastrous impact on their businesses.

Other key findings: The insurance coverage gap

  • The top cybersecurity fear for businesses was breach of personally identifiable information; however, malware-related attacks were the most commonly experienced attack. One in two businesses experienced a malware-related attack in the last year, while fewer than one in five businesses experienced a breach of personal information
  • 60% of businesses reported they would be unprofitable in less than two days if they lost access to critical systems or data, and 92% reported they would experience a negative financial impact
  • Over 40% of businesses had no cyber insurance or limits of $1 million or less, which may not adequately cover the cost of the average cyberattack
  • Only 11% of businesses were concerned about cyberattacks threatening their supply chains, yet 88% reported being dependent on third parties

The role of independent insurance agents

The study also affirmed the important role independent insurance agents can play as experienced advisers, offering risk management counsel and services to help small to mid-sized business owners protect their operations and maximize the benefits of their cyber insurance programs.

“Having the appropriate cyber protection will only become more important as new technologies emerge, businesses become more connected and cyber criminals develop more sophisticated methods,” said Bryan J. Salvatore, president of specialty insurance at The Hanover.

“As businesses grow in complexity, the advice of an independent agent becomes increasingly important in helping business owners understand the many risks they may face and mitigate those evolving threats.”

Unexpected downtime is crippling businesses, causing revenue losses

Unexpected downtime is a major challenge for SMBs today. The IT systems of nearly a quarter of SMBs have gone offline in the past year, according to research from Infrascale.

SMBs said the downtime creates business disruption and decreases employee productivity. 37% of SMBs in the survey group said they have lost customers and 17% have lost revenue due to downtime.

“Customer retention is essential for business success,” said Russell P. Reeder, CEO of Infrascale. “It can cost up to five times more to attract a new customer than to retain an existing one, and when customers leave, businesses lose out on vital profit and operational efficiencies. Especially in today’s competitive environment, it’s challenging enough to retain customers. With all the cost-effective solutions available, downtime shouldn’t be a reason for concern.”

19% of SMBs admit that they do not feel their businesses are adequately prepared to address and prevent unexpected downtime. Of those SMBs that said they feel unprepared, 13% said the reason is that they have limited time to research solutions to prevent downtime.

28% attributed their lack of preparedness to IT teams at their organization being stretched. The same share (28%) said they don’t think their business is at risk from unexpected downtime. Yet 38% of SMBs said they don’t know what the cost of one hour of downtime is for their businesses.

The research is based on a survey of more than 500 C-level executives at SMBs. CEOs represented 87% of the group. Most of the remainder was split between CIOs and CTOs.

Downtime can prompt valuable customers to head for the exit

“Customers today are extremely demanding,” said Reeder. “They are intolerant of delays and downtime.”

Thirty-seven percent of the SMB survey group admitted to having lost customers due to downtime issues. This problem was especially pronounced among business-to-business entities; 46% of B2B businesses have experienced such a loss. As for business-to-consumer SMBs, 25% said they have lost customers due to downtime problems.

Downtime also leads to business disruption and loss of productivity and reputation

Loss of customers and revenue are just two of the downsides of IT system-related downtime. Downtime also can hurt employee productivity and adversely impact a company’s reputation.

SMBs said the biggest downtime risks are business disruption (29%) and decreased employee productivity (21%). As noted above, 17% have lost revenue. Reputation impact (16%) and cost (13%) came in next.

Software failure (53%) and cybersecurity issues (52%) are the most common causes of the downtime that creates these business challenges. A significant but far smaller share of the SMB survey group blamed downtime on hardware failure (38%), human error (36%), natural disaster (30%), and/or hardware theft (24%).

SMB downtime may not last long, but it is still costly

10% of SMBs said their per-hour downtime cost was more than $50,000. Thirteen percent said their per-hour downtime cost was between $40,001 and $50,000.

25% of SMBs said the per-hour cost of downtime for their business was between $20,001 and $40,000. A slightly larger share (26%) said they incur a loss of $10,000 to $20,000 for each hour of downtime, while 27% said their cost of downtime per hour was under $10,000.

The good news is that the survey group indicated downtime typically lasts for minutes instead of hours. 22% of the survey group said their downtime events typically last anywhere from five to 15 minutes.

Just 17% of the group said their downtime commonly stretches on for 15 to 30 minutes, and another 17% said an hour. Just 6% said over an hour.

“The downtime duration results may seem reassuring, but in today’s challenging and fast-moving business environment, every second counts,” said Reeder. “Even if your company was down for minutes, just think of the reputational damage it can cause as well as real costs when data cannot be recovered. There is really no excuse these days for not backing up your data.”

Despite the many downsides of downtime, some SMBs remain unprepared

19% of the B2B survey group said they do not feel their business is prepared for unexpected downtime, and B2C organizations feel even less prepared. 27% of B2C survey participants said they believe their business is unprepared for unexpected downtime.

“These survey results illustrate that there’s plenty of room for improvement when it comes to business uptime,” Reeder added.

“Organizations can benefit from application and server backup, ransomware mitigation, disaster recovery as a service (DRaaS), encryption, and state-of-the-art endpoint protection. Investments in such solutions enable them to avoid downtime and enjoy business continuity, which are essential for a growing and thriving business.”